--- /dev/null
+From foo@baz Fri Sep 25 10:56:27 AM CEST 2020
+From: Michael Chan <michael.chan@broadcom.com>
+Date: Sun, 20 Sep 2020 21:08:56 -0400
+Subject: bnxt_en: Protect bnxt_set_eee() and bnxt_set_pauseparam() with mutex.
+
+From: Michael Chan <michael.chan@broadcom.com>
+
+[ Upstream commit a53906908148d64423398a62c4435efb0d09652c ]
+
+All changes related to bp->link_info require the protection of the
+link_lock mutex. It's not sufficient to rely just on RTNL.
+
+Fixes: 163e9ef63641 ("bnxt_en: Fix race when modifying pause settings.")
+Reviewed-by: Edwin Peer <edwin.peer@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 31 ++++++++++++++--------
+ 1 file changed, 20 insertions(+), 11 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
+@@ -1264,9 +1264,12 @@ static int bnxt_set_pauseparam(struct ne
+ if (!BNXT_SINGLE_PF(bp))
+ return -EOPNOTSUPP;
+
++ mutex_lock(&bp->link_lock);
+ if (epause->autoneg) {
+- if (!(link_info->autoneg & BNXT_AUTONEG_SPEED))
+- return -EINVAL;
++ if (!(link_info->autoneg & BNXT_AUTONEG_SPEED)) {
++ rc = -EINVAL;
++ goto pause_exit;
++ }
+
+ link_info->autoneg |= BNXT_AUTONEG_FLOW_CTRL;
+ if (bp->hwrm_spec_code >= 0x10201)
+@@ -1287,11 +1290,11 @@ static int bnxt_set_pauseparam(struct ne
+ if (epause->tx_pause)
+ link_info->req_flow_ctrl |= BNXT_LINK_PAUSE_TX;
+
+- if (netif_running(dev)) {
+- mutex_lock(&bp->link_lock);
++ if (netif_running(dev))
+ rc = bnxt_hwrm_set_pause(bp);
+- mutex_unlock(&bp->link_lock);
+- }
++
++pause_exit:
++ mutex_unlock(&bp->link_lock);
+ return rc;
+ }
+
+@@ -1977,8 +1980,7 @@ static int bnxt_set_eee(struct net_devic
+ struct bnxt *bp = netdev_priv(dev);
+ struct ethtool_eee *eee = &bp->eee;
+ struct bnxt_link_info *link_info = &bp->link_info;
+- u32 advertising =
+- _bnxt_fw_to_ethtool_adv_spds(link_info->advertising, 0);
++ u32 advertising;
+ int rc = 0;
+
+ if (!BNXT_SINGLE_PF(bp))
+@@ -1987,19 +1989,23 @@ static int bnxt_set_eee(struct net_devic
+ if (!(bp->flags & BNXT_FLAG_EEE_CAP))
+ return -EOPNOTSUPP;
+
++ mutex_lock(&bp->link_lock);
++ advertising = _bnxt_fw_to_ethtool_adv_spds(link_info->advertising, 0);
+ if (!edata->eee_enabled)
+ goto eee_ok;
+
+ if (!(link_info->autoneg & BNXT_AUTONEG_SPEED)) {
+ netdev_warn(dev, "EEE requires autoneg\n");
+- return -EINVAL;
++ rc = -EINVAL;
++ goto eee_exit;
+ }
+ if (edata->tx_lpi_enabled) {
+ if (bp->lpi_tmr_hi && (edata->tx_lpi_timer > bp->lpi_tmr_hi ||
+ edata->tx_lpi_timer < bp->lpi_tmr_lo)) {
+ netdev_warn(dev, "Valid LPI timer range is %d and %d microsecs\n",
+ bp->lpi_tmr_lo, bp->lpi_tmr_hi);
+- return -EINVAL;
++ rc = -EINVAL;
++ goto eee_exit;
+ } else if (!bp->lpi_tmr_hi) {
+ edata->tx_lpi_timer = eee->tx_lpi_timer;
+ }
+@@ -2009,7 +2015,8 @@ static int bnxt_set_eee(struct net_devic
+ } else if (edata->advertised & ~advertising) {
+ netdev_warn(dev, "EEE advertised %x must be a subset of autoneg advertised speeds %x\n",
+ edata->advertised, advertising);
+- return -EINVAL;
++ rc = -EINVAL;
++ goto eee_exit;
+ }
+
+ eee->advertised = edata->advertised;
+@@ -2021,6 +2028,8 @@ eee_ok:
+ if (netif_running(dev))
+ rc = bnxt_hwrm_set_link_setting(bp, false, true);
+
++eee_exit:
++ mutex_unlock(&bp->link_lock);
+ return rc;
+ }
+
--- /dev/null
+From foo@baz Fri Sep 25 10:56:27 AM CEST 2020
+From: Mark Gray <mark.d.gray@redhat.com>
+Date: Wed, 16 Sep 2020 05:19:35 -0400
+Subject: geneve: add transport ports in route lookup for geneve
+
+From: Mark Gray <mark.d.gray@redhat.com>
+
+[ Upstream commit 34beb21594519ce64a55a498c2fe7d567bc1ca20 ]
+
+This patch adds transport ports information for route lookup so that
+IPsec can select Geneve tunnel traffic to do encryption. This is
+needed for OVS/OVN IPsec with encrypted Geneve tunnels.
+
+This can be tested by configuring a host-host VPN using an IKE
+daemon and specifying port numbers. For example, for an
+Openswan-type configuration, the following parameters should be
+configured on both hosts and IPsec set up as-per normal:
+
+$ cat /etc/ipsec.conf
+
+conn in
+...
+left=$IP1
+right=$IP2
+...
+leftprotoport=udp/6081
+rightprotoport=udp
+...
+conn out
+...
+left=$IP1
+right=$IP2
+...
+leftprotoport=udp
+rightprotoport=udp/6081
+...
+
+The tunnel can then be setup using "ip" on both hosts (but
+changing the relevant IP addresses):
+
+$ ip link add tun type geneve id 1000 remote $IP2
+$ ip addr add 192.168.0.1/24 dev tun
+$ ip link set tun up
+
+This can then be tested by pinging from $IP1:
+
+$ ping 192.168.0.2
+
+Without this patch the traffic is unencrypted on the wire.
+
+Fixes: 2d07dc79fe04 ("geneve: add initial netdev driver for GENEVE tunnels")
+Signed-off-by: Qiuyu Xiao <qiuyu.xiao.qyx@gmail.com>
+Signed-off-by: Mark Gray <mark.d.gray@redhat.com>
+Reviewed-by: Greg Rose <gvrose8192@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/geneve.c | 37 +++++++++++++++++++++++++++----------
+ 1 file changed, 27 insertions(+), 10 deletions(-)
+
+--- a/drivers/net/geneve.c
++++ b/drivers/net/geneve.c
+@@ -716,7 +716,8 @@ static struct rtable *geneve_get_v4_rt(s
+ struct net_device *dev,
+ struct geneve_sock *gs4,
+ struct flowi4 *fl4,
+- const struct ip_tunnel_info *info)
++ const struct ip_tunnel_info *info,
++ __be16 dport, __be16 sport)
+ {
+ bool use_cache = ip_tunnel_dst_cache_usable(skb, info);
+ struct geneve_dev *geneve = netdev_priv(dev);
+@@ -732,6 +733,8 @@ static struct rtable *geneve_get_v4_rt(s
+ fl4->flowi4_proto = IPPROTO_UDP;
+ fl4->daddr = info->key.u.ipv4.dst;
+ fl4->saddr = info->key.u.ipv4.src;
++ fl4->fl4_dport = dport;
++ fl4->fl4_sport = sport;
+
+ tos = info->key.tos;
+ if ((tos == 1) && !geneve->collect_md) {
+@@ -766,7 +769,8 @@ static struct dst_entry *geneve_get_v6_d
+ struct net_device *dev,
+ struct geneve_sock *gs6,
+ struct flowi6 *fl6,
+- const struct ip_tunnel_info *info)
++ const struct ip_tunnel_info *info,
++ __be16 dport, __be16 sport)
+ {
+ bool use_cache = ip_tunnel_dst_cache_usable(skb, info);
+ struct geneve_dev *geneve = netdev_priv(dev);
+@@ -782,6 +786,9 @@ static struct dst_entry *geneve_get_v6_d
+ fl6->flowi6_proto = IPPROTO_UDP;
+ fl6->daddr = info->key.u.ipv6.dst;
+ fl6->saddr = info->key.u.ipv6.src;
++ fl6->fl6_dport = dport;
++ fl6->fl6_sport = sport;
++
+ prio = info->key.tos;
+ if ((prio == 1) && !geneve->collect_md) {
+ prio = ip_tunnel_get_dsfield(ip_hdr(skb), skb);
+@@ -828,7 +835,9 @@ static int geneve_xmit_skb(struct sk_buf
+ __be16 df;
+ int err;
+
+- rt = geneve_get_v4_rt(skb, dev, gs4, &fl4, info);
++ sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true);
++ rt = geneve_get_v4_rt(skb, dev, gs4, &fl4, info,
++ geneve->info.key.tp_dst, sport);
+ if (IS_ERR(rt))
+ return PTR_ERR(rt);
+
+@@ -839,7 +848,6 @@ static int geneve_xmit_skb(struct sk_buf
+ skb_dst_update_pmtu(skb, mtu);
+ }
+
+- sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true);
+ if (geneve->collect_md) {
+ tos = ip_tunnel_ecn_encap(key->tos, ip_hdr(skb), skb);
+ ttl = key->ttl;
+@@ -874,7 +882,9 @@ static int geneve6_xmit_skb(struct sk_bu
+ __be16 sport;
+ int err;
+
+- dst = geneve_get_v6_dst(skb, dev, gs6, &fl6, info);
++ sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true);
++ dst = geneve_get_v6_dst(skb, dev, gs6, &fl6, info,
++ geneve->info.key.tp_dst, sport);
+ if (IS_ERR(dst))
+ return PTR_ERR(dst);
+
+@@ -885,7 +895,6 @@ static int geneve6_xmit_skb(struct sk_bu
+ skb_dst_update_pmtu(skb, mtu);
+ }
+
+- sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true);
+ if (geneve->collect_md) {
+ prio = ip_tunnel_ecn_encap(key->tos, ip_hdr(skb), skb);
+ ttl = key->ttl;
+@@ -963,13 +972,18 @@ static int geneve_fill_metadata_dst(stru
+ {
+ struct ip_tunnel_info *info = skb_tunnel_info(skb);
+ struct geneve_dev *geneve = netdev_priv(dev);
++ __be16 sport;
+
+ if (ip_tunnel_info_af(info) == AF_INET) {
+ struct rtable *rt;
+ struct flowi4 fl4;
++
+ struct geneve_sock *gs4 = rcu_dereference(geneve->sock4);
++ sport = udp_flow_src_port(geneve->net, skb,
++ 1, USHRT_MAX, true);
+
+- rt = geneve_get_v4_rt(skb, dev, gs4, &fl4, info);
++ rt = geneve_get_v4_rt(skb, dev, gs4, &fl4, info,
++ geneve->info.key.tp_dst, sport);
+ if (IS_ERR(rt))
+ return PTR_ERR(rt);
+
+@@ -979,9 +993,13 @@ static int geneve_fill_metadata_dst(stru
+ } else if (ip_tunnel_info_af(info) == AF_INET6) {
+ struct dst_entry *dst;
+ struct flowi6 fl6;
++
+ struct geneve_sock *gs6 = rcu_dereference(geneve->sock6);
++ sport = udp_flow_src_port(geneve->net, skb,
++ 1, USHRT_MAX, true);
+
+- dst = geneve_get_v6_dst(skb, dev, gs6, &fl6, info);
++ dst = geneve_get_v6_dst(skb, dev, gs6, &fl6, info,
++ geneve->info.key.tp_dst, sport);
+ if (IS_ERR(dst))
+ return PTR_ERR(dst);
+
+@@ -992,8 +1010,7 @@ static int geneve_fill_metadata_dst(stru
+ return -EINVAL;
+ }
+
+- info->key.tp_src = udp_flow_src_port(geneve->net, skb,
+- 1, USHRT_MAX, true);
++ info->key.tp_src = sport;
+ info->key.tp_dst = geneve->info.key.tp_dst;
+ return 0;
+ }
--- /dev/null
+From foo@baz Fri Sep 25 10:56:27 AM CEST 2020
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 9 Sep 2020 12:46:48 +0300
+Subject: hdlc_ppp: add range checks in ppp_cp_parse_cr()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 66d42ed8b25b64eb63111a2b8582c5afc8bf1105 ]
+
+There are a couple bugs here:
+1) If opt[1] is zero then this results in a forever loop. If the value
+ is less than 2 then it is invalid.
+2) It assumes that "len" is more than sizeof(valid_accm) or 6 which can
+ result in memory corruption.
+
+In the case of LCP_OPTION_ACCM, then we should check "opt[1]" instead
+of "len" because, if "opt[1]" is less than sizeof(valid_accm) then
+"nak_len" gets out of sync and it can lead to memory corruption in the
+next iterations through the loop. In case of LCP_OPTION_MAGIC, the
+only valid value for opt[1] is 6, but the code is trying to log invalid
+data so we should only discard the data when "len" is less than 6
+because that leads to a read overflow.
+
+Reported-by: ChenNan Of Chaitin Security Research Lab <whutchennan@gmail.com>
+Fixes: e022c2f07ae5 ("WAN: new synchronous PPP implementation for generic HDLC.")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wan/hdlc_ppp.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/wan/hdlc_ppp.c
++++ b/drivers/net/wan/hdlc_ppp.c
+@@ -386,11 +386,8 @@ static void ppp_cp_parse_cr(struct net_d
+ }
+
+ for (opt = data; len; len -= opt[1], opt += opt[1]) {
+- if (len < 2 || len < opt[1]) {
+- dev->stats.rx_errors++;
+- kfree(out);
+- return; /* bad packet, drop silently */
+- }
++ if (len < 2 || opt[1] < 2 || len < opt[1])
++ goto err_out;
+
+ if (pid == PID_LCP)
+ switch (opt[0]) {
+@@ -398,6 +395,8 @@ static void ppp_cp_parse_cr(struct net_d
+ continue; /* MRU always OK and > 1500 bytes? */
+
+ case LCP_OPTION_ACCM: /* async control character map */
++ if (opt[1] < sizeof(valid_accm))
++ goto err_out;
+ if (!memcmp(opt, valid_accm,
+ sizeof(valid_accm)))
+ continue;
+@@ -409,6 +408,8 @@ static void ppp_cp_parse_cr(struct net_d
+ }
+ break;
+ case LCP_OPTION_MAGIC:
++ if (len < 6)
++ goto err_out;
+ if (opt[1] != 6 || (!opt[2] && !opt[3] &&
+ !opt[4] && !opt[5]))
+ break; /* reject invalid magic number */
+@@ -427,6 +428,11 @@ static void ppp_cp_parse_cr(struct net_d
+ ppp_cp_event(dev, pid, RCR_GOOD, CP_CONF_ACK, id, req_len, data);
+
+ kfree(out);
++ return;
++
++err_out:
++ dev->stats.rx_errors++;
++ kfree(out);
+ }
+
+ static int ppp_rx(struct sk_buff *skb)
--- /dev/null
+From foo@baz Fri Sep 25 10:56:27 AM CEST 2020
+From: Wei Wang <weiwan@google.com>
+Date: Tue, 8 Sep 2020 14:09:34 -0700
+Subject: ip: fix tos reflection in ack and reset packets
+
+From: Wei Wang <weiwan@google.com>
+
+[ Upstream commit ba9e04a7ddf4f22a10e05bf9403db6b97743c7bf ]
+
+Currently, in tcp_v4_reqsk_send_ack() and tcp_v4_send_reset(), we
+echo the TOS value of the received packets in the response.
+However, we do not want to echo the lower 2 ECN bits in accordance
+with RFC 3168 6.1.5 robustness principles.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+
+Signed-off-by: Wei Wang <weiwan@google.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ip_output.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@ -73,6 +73,7 @@
+ #include <net/icmp.h>
+ #include <net/checksum.h>
+ #include <net/inetpeer.h>
++#include <net/inet_ecn.h>
+ #include <net/lwtunnel.h>
+ #include <linux/bpf-cgroup.h>
+ #include <linux/igmp.h>
+@@ -1562,7 +1563,7 @@ void ip_send_unicast_reply(struct sock *
+ if (IS_ERR(rt))
+ return;
+
+- inet_sk(sk)->tos = arg->tos;
++ inet_sk(sk)->tos = arg->tos & ~INET_ECN_MASK;
+
+ sk->sk_priority = skb->priority;
+ sk->sk_protocol = ip_hdr(skb)->protocol;
--- /dev/null
+From foo@baz Fri Sep 25 10:42:33 AM CEST 2020
+From: David Ahern <dsahern@kernel.org>
+Date: Mon, 14 Sep 2020 21:03:54 -0600
+Subject: ipv4: Update exception handling for multipath routes via same device
+
+From: David Ahern <dsahern@kernel.org>
+
+[ Upstream commit 2fbc6e89b2f1403189e624cabaf73e189c5e50c6 ]
+
+Kfir reported that pmtu exceptions are not created properly for
+deployments where multipath routes use the same device.
+
+After some digging I see 2 compounding problems:
+1. ip_route_output_key_hash_rcu is updating the flowi4_oif *after*
+ the route lookup. This is the second use case where this has
+ been a problem (the first is related to use of vti devices with
+ VRF). I can not find any reason for the oif to be changed after the
+ lookup; the code goes back to the start of git. It does not seem
+ logical so remove it.
+
+2. fib_lookups for exceptions do not call fib_select_path to handle
+ multipath route selection based on the hash.
+
+The end result is that the fib_lookup used to add the exception
+always creates it based using the first leg of the route.
+
+An example topology showing the problem:
+
+ | host1
+ +------+
+ | eth0 | .209
+ +------+
+ |
+ +------+
+ switch | br0 |
+ +------+
+ |
+ +---------+---------+
+ | host2 | host3
+ +------+ +------+
+ | eth0 | .250 | eth0 | 192.168.252.252
+ +------+ +------+
+
+ +-----+ +-----+
+ | vti | .2 | vti | 192.168.247.3
+ +-----+ +-----+
+ \ /
+ =================================
+ tunnels
+ 192.168.247.1/24
+
+for h in host1 host2 host3; do
+ ip netns add ${h}
+ ip -netns ${h} link set lo up
+ ip netns exec ${h} sysctl -wq net.ipv4.ip_forward=1
+done
+
+ip netns add switch
+ip -netns switch li set lo up
+ip -netns switch link add br0 type bridge stp 0
+ip -netns switch link set br0 up
+
+for n in 1 2 3; do
+ ip -netns switch link add eth-sw type veth peer name eth-h${n}
+ ip -netns switch li set eth-h${n} master br0 up
+ ip -netns switch li set eth-sw netns host${n} name eth0
+done
+
+ip -netns host1 addr add 192.168.252.209/24 dev eth0
+ip -netns host1 link set dev eth0 up
+ip -netns host1 route add 192.168.247.0/24 \
+ nexthop via 192.168.252.250 dev eth0 nexthop via 192.168.252.252 dev eth0
+
+ip -netns host2 addr add 192.168.252.250/24 dev eth0
+ip -netns host2 link set dev eth0 up
+
+ip -netns host2 addr add 192.168.252.252/24 dev eth0
+ip -netns host3 link set dev eth0 up
+
+ip netns add tunnel
+ip -netns tunnel li set lo up
+ip -netns tunnel li add br0 type bridge
+ip -netns tunnel li set br0 up
+for n in $(seq 11 20); do
+ ip -netns tunnel addr add dev br0 192.168.247.${n}/24
+done
+
+for n in 2 3
+do
+ ip -netns tunnel link add vti${n} type veth peer name eth${n}
+ ip -netns tunnel link set eth${n} mtu 1360 master br0 up
+ ip -netns tunnel link set vti${n} netns host${n} mtu 1360 up
+ ip -netns host${n} addr add dev vti${n} 192.168.247.${n}/24
+done
+ip -netns tunnel ro add default nexthop via 192.168.247.2 nexthop via 192.168.247.3
+
+ip netns exec host1 ping -M do -s 1400 -c3 -I 192.168.252.209 192.168.247.11
+ip netns exec host1 ping -M do -s 1400 -c3 -I 192.168.252.209 192.168.247.15
+ip -netns host1 ro ls cache
+
+Before this patch the cache always shows exceptions against the first
+leg in the multipath route; 192.168.252.250 per this example. Since the
+hash has an initial random seed, you may need to vary the final octet
+more than what is listed. In my tests, using addresses between 11 and 19
+usually found 1 that used both legs.
+
+With this patch, the cache will have exceptions for both legs.
+
+Fixes: 4895c771c7f0 ("ipv4: Add FIB nexthop exceptions")
+Reported-by: Kfir Itzhak <mastertheknife@gmail.com>
+Signed-off-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/route.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -794,6 +794,8 @@ static void __ip_do_redirect(struct rtab
+ if (fib_lookup(net, fl4, &res, 0) == 0) {
+ struct fib_nh *nh = &FIB_RES_NH(res);
+
++ fib_select_path(net, &res, fl4, skb);
++ nh = &FIB_RES_NH(res);
+ update_or_create_fnhe(nh, fl4->daddr, new_gw,
+ 0, false,
+ jiffies + ip_rt_gc_timeout);
+@@ -1010,6 +1012,7 @@ out: kfree_skb(skb);
+ static void __ip_rt_update_pmtu(struct rtable *rt, struct flowi4 *fl4, u32 mtu)
+ {
+ struct dst_entry *dst = &rt->dst;
++ struct net *net = dev_net(dst->dev);
+ u32 old_mtu = ipv4_mtu(dst);
+ struct fib_result res;
+ bool lock = false;
+@@ -1030,9 +1033,11 @@ static void __ip_rt_update_pmtu(struct r
+ return;
+
+ rcu_read_lock();
+- if (fib_lookup(dev_net(dst->dev), fl4, &res, 0) == 0) {
+- struct fib_nh *nh = &FIB_RES_NH(res);
++ if (fib_lookup(net, fl4, &res, 0) == 0) {
++ struct fib_nh *nh;
+
++ fib_select_path(net, &res, fl4, NULL);
++ nh = &FIB_RES_NH(res);
+ update_or_create_fnhe(nh, fl4->daddr, 0, mtu, lock,
+ jiffies + ip_rt_mtu_expires);
+ }
+@@ -2505,8 +2510,6 @@ struct rtable *ip_route_output_key_hash_
+ fib_select_path(net, res, fl4, skb);
+
+ dev_out = FIB_RES_DEV(*res);
+- fl4->flowi4_oif = dev_out->ifindex;
+-
+
+ make_route:
+ rth = __mkroute_output(res, fl4, orig_oif, dev_out, flags);
--- /dev/null
+From foo@baz Fri Sep 25 10:56:27 AM CEST 2020
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 9 Sep 2020 01:27:40 -0700
+Subject: net: add __must_check to skb_put_padto()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 4a009cb04aeca0de60b73f37b102573354214b52 ]
+
+skb_put_padto() and __skb_put_padto() callers
+must check return values or risk use-after-free.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/skbuff.h | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -2999,8 +2999,9 @@ static inline int skb_padto(struct sk_bu
+ * is untouched. Otherwise it is extended. Returns zero on
+ * success. The skb is freed on error if @free_on_error is true.
+ */
+-static inline int __skb_put_padto(struct sk_buff *skb, unsigned int len,
+- bool free_on_error)
++static inline int __must_check __skb_put_padto(struct sk_buff *skb,
++ unsigned int len,
++ bool free_on_error)
+ {
+ unsigned int size = skb->len;
+
+@@ -3023,7 +3024,7 @@ static inline int __skb_put_padto(struct
+ * is untouched. Otherwise it is extended. Returns zero on
+ * success. The skb is freed on error.
+ */
+-static inline int skb_put_padto(struct sk_buff *skb, unsigned int len)
++static inline int __must_check skb_put_padto(struct sk_buff *skb, unsigned int len)
+ {
+ return __skb_put_padto(skb, len, true);
+ }
--- /dev/null
+From foo@baz Fri Sep 25 10:56:27 AM CEST 2020
+From: Necip Fazil Yildiran <fazilyildiran@gmail.com>
+Date: Thu, 17 Sep 2020 19:46:43 +0300
+Subject: net: ipv6: fix kconfig dependency warning for IPV6_SEG6_HMAC
+
+From: Necip Fazil Yildiran <fazilyildiran@gmail.com>
+
+[ Upstream commit db7cd91a4be15e1485d6b58c6afc8761c59c4efb ]
+
+When IPV6_SEG6_HMAC is enabled and CRYPTO is disabled, it results in the
+following Kbuild warning:
+
+WARNING: unmet direct dependencies detected for CRYPTO_HMAC
+ Depends on [n]: CRYPTO [=n]
+ Selected by [y]:
+ - IPV6_SEG6_HMAC [=y] && NET [=y] && INET [=y] && IPV6 [=y]
+
+WARNING: unmet direct dependencies detected for CRYPTO_SHA1
+ Depends on [n]: CRYPTO [=n]
+ Selected by [y]:
+ - IPV6_SEG6_HMAC [=y] && NET [=y] && INET [=y] && IPV6 [=y]
+
+WARNING: unmet direct dependencies detected for CRYPTO_SHA256
+ Depends on [n]: CRYPTO [=n]
+ Selected by [y]:
+ - IPV6_SEG6_HMAC [=y] && NET [=y] && INET [=y] && IPV6 [=y]
+
+The reason is that IPV6_SEG6_HMAC selects CRYPTO_HMAC, CRYPTO_SHA1, and
+CRYPTO_SHA256 without depending on or selecting CRYPTO while those configs
+are subordinate to CRYPTO.
+
+Honor the kconfig menu hierarchy to remove kconfig dependency warnings.
+
+Fixes: bf355b8d2c30 ("ipv6: sr: add core files for SR HMAC support")
+Signed-off-by: Necip Fazil Yildiran <fazilyildiran@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ipv6/Kconfig
++++ b/net/ipv6/Kconfig
+@@ -321,6 +321,7 @@ config IPV6_SEG6_LWTUNNEL
+ config IPV6_SEG6_HMAC
+ bool "IPv6: Segment Routing HMAC support"
+ depends on IPV6
++ select CRYPTO
+ select CRYPTO_HMAC
+ select CRYPTO_SHA1
+ select CRYPTO_SHA256
--- /dev/null
+From foo@baz Fri Sep 25 10:56:27 AM CEST 2020
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Wed, 16 Sep 2020 20:43:09 -0700
+Subject: net: phy: Avoid NPD upon phy_detach() when driver is unbound
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+[ Upstream commit c2b727df7caa33876e7066bde090f40001b6d643 ]
+
+If we have unbound the PHY driver prior to calling phy_detach() (often
+via phy_disconnect()) then we can cause a NULL pointer de-reference
+accessing the driver owner member. The steps to reproduce are:
+
+echo unimac-mdio-0:01 > /sys/class/net/eth0/phydev/driver/unbind
+ip link set eth0 down
+
+Fixes: cafe8df8b9bc ("net: phy: Fix lack of reference count on PHY driver")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/phy_device.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/phy/phy_device.c
++++ b/drivers/net/phy/phy_device.c
+@@ -1121,7 +1121,8 @@ void phy_detach(struct phy_device *phyde
+
+ phy_led_triggers_unregister(phydev);
+
+- module_put(phydev->mdio.dev.driver->owner);
++ if (phydev->mdio.dev.driver)
++ module_put(phydev->mdio.dev.driver->owner);
+
+ /* If the device had no specific driver before (i.e. - it
+ * was using the generic driver), we unbind the device
Signed-off-by: Nobuhiro Iwamatsu (CIP) <nobuhiro1.iwamatsu@toshiba.co.jp>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
- drivers/infiniband/core/ucma.c | 6 +++---
+ drivers/infiniband/core/ucma.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
-diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c
-index c3e5f921da12e..4002a8ddf6d0a 100644
--- a/drivers/infiniband/core/ucma.c
+++ b/drivers/infiniband/core/ucma.c
-@@ -1315,13 +1315,13 @@ static ssize_t ucma_set_option(struct ucma_file *file, const char __user *inbuf,
+@@ -1315,13 +1315,13 @@ static ssize_t ucma_set_option(struct uc
if (copy_from_user(&cmd, inbuf, sizeof(cmd)))
return -EFAULT;
optval = memdup_user((void __user *) (unsigned long) cmd.optval,
cmd.optlen);
if (IS_ERR(optval)) {
---
-2.25.1
-
kprobes-fix-kill-kprobe-which-has-been-marked-as-gon.patch
mm-thp-fix-__split_huge_pmd_locked-for-migration-pmd.patch
rdma-ucma-ucma_context-reference-leak-in-error-path.patch
+hdlc_ppp-add-range-checks-in-ppp_cp_parse_cr.patch
+ip-fix-tos-reflection-in-ack-and-reset-packets.patch
+net-ipv6-fix-kconfig-dependency-warning-for-ipv6_seg6_hmac.patch
+tipc-fix-shutdown-of-connection-oriented-socket.patch
+tipc-use-skb_unshare-instead-in-tipc_buf_append.patch
+bnxt_en-protect-bnxt_set_eee-and-bnxt_set_pauseparam-with-mutex.patch
+net-phy-avoid-npd-upon-phy_detach-when-driver-is-unbound.patch
+net-add-__must_check-to-skb_put_padto.patch
+ipv4-update-exception-handling-for-multipath-routes-via-same-device.patch
+geneve-add-transport-ports-in-route-lookup-for-geneve.patch
--- /dev/null
+From foo@baz Fri Sep 25 10:56:27 AM CEST 2020
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Sat, 5 Sep 2020 15:14:47 +0900
+Subject: tipc: fix shutdown() of connection oriented socket
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+[ Upstream commit a4b5cc9e10803ecba64a7d54c0f47e4564b4a980 ]
+
+I confirmed that the problem fixed by commit 2a63866c8b51a3f7 ("tipc: fix
+shutdown() of connectionless socket") also applies to stream socket.
+
+----------
+#include <sys/socket.h>
+#include <unistd.h>
+#include <sys/wait.h>
+
+int main(int argc, char *argv[])
+{
+ int fds[2] = { -1, -1 };
+ socketpair(PF_TIPC, SOCK_STREAM /* or SOCK_DGRAM */, 0, fds);
+ if (fork() == 0)
+ _exit(read(fds[0], NULL, 1));
+ shutdown(fds[0], SHUT_RDWR); /* This must make read() return. */
+ wait(NULL); /* To be woken up by _exit(). */
+ return 0;
+}
+----------
+
+Since shutdown(SHUT_RDWR) should affect all processes sharing that socket,
+unconditionally setting sk->sk_shutdown to SHUTDOWN_MASK will be the right
+behavior.
+
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Acked-by: Ying Xue <ying.xue@windriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/socket.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/net/tipc/socket.c
++++ b/net/tipc/socket.c
+@@ -2126,10 +2126,7 @@ static int tipc_shutdown(struct socket *
+ lock_sock(sk);
+
+ __tipc_shutdown(sock, TIPC_CONN_SHUTDOWN);
+- if (tipc_sk_type_connectionless(sk))
+- sk->sk_shutdown = SHUTDOWN_MASK;
+- else
+- sk->sk_shutdown = SEND_SHUTDOWN;
++ sk->sk_shutdown = SHUTDOWN_MASK;
+
+ if (sk->sk_state == TIPC_DISCONNECTING) {
+ /* Discard any unreceived messages */
--- /dev/null
+From foo@baz Fri Sep 25 10:56:27 AM CEST 2020
+From: Xin Long <lucien.xin@gmail.com>
+Date: Sun, 13 Sep 2020 19:37:31 +0800
+Subject: tipc: use skb_unshare() instead in tipc_buf_append()
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit ff48b6222e65ebdba5a403ef1deba6214e749193 ]
+
+In tipc_buf_append() it may change skb's frag_list, and it causes
+problems when this skb is cloned. skb_unclone() doesn't really
+make this skb's flag_list available to change.
+
+Shuang Li has reported an use-after-free issue because of this
+when creating quite a few macvlan dev over the same dev, where
+the broadcast packets will be cloned and go up to the stack:
+
+ [ ] BUG: KASAN: use-after-free in pskb_expand_head+0x86d/0xea0
+ [ ] Call Trace:
+ [ ] dump_stack+0x7c/0xb0
+ [ ] print_address_description.constprop.7+0x1a/0x220
+ [ ] kasan_report.cold.10+0x37/0x7c
+ [ ] check_memory_region+0x183/0x1e0
+ [ ] pskb_expand_head+0x86d/0xea0
+ [ ] process_backlog+0x1df/0x660
+ [ ] net_rx_action+0x3b4/0xc90
+ [ ]
+ [ ] Allocated by task 1786:
+ [ ] kmem_cache_alloc+0xbf/0x220
+ [ ] skb_clone+0x10a/0x300
+ [ ] macvlan_broadcast+0x2f6/0x590 [macvlan]
+ [ ] macvlan_process_broadcast+0x37c/0x516 [macvlan]
+ [ ] process_one_work+0x66a/0x1060
+ [ ] worker_thread+0x87/0xb10
+ [ ]
+ [ ] Freed by task 3253:
+ [ ] kmem_cache_free+0x82/0x2a0
+ [ ] skb_release_data+0x2c3/0x6e0
+ [ ] kfree_skb+0x78/0x1d0
+ [ ] tipc_recvmsg+0x3be/0xa40 [tipc]
+
+So fix it by using skb_unshare() instead, which would create a new
+skb for the cloned frag and it'll be safe to change its frag_list.
+The similar things were also done in sctp_make_reassembled_event(),
+which is using skb_copy().
+
+Reported-by: Shuang Li <shuali@redhat.com>
+Fixes: 37e22164a8a3 ("tipc: rename and move message reassembly function")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/msg.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/tipc/msg.c
++++ b/net/tipc/msg.c
+@@ -140,7 +140,8 @@ int tipc_buf_append(struct sk_buff **hea
+ if (fragid == FIRST_FRAGMENT) {
+ if (unlikely(head))
+ goto err;
+- if (unlikely(skb_unclone(frag, GFP_ATOMIC)))
++ frag = skb_unshare(frag, GFP_ATOMIC);
++ if (unlikely(!frag))
+ goto err;
+ head = *headbuf = frag;
+ *buf = NULL;
projects / thirdparty / kernel / stable-queue.git / commitdiff
